Lab that Tests and Certifies Voting Machines Suspended

Share

Lab that Tests and Certifies Voting Machines Suspended

An independent lab that tests and certifies voting machines is being suspended by the federal Election Assistance Commission from testing voting systems for failing to conform to procedures and requirements set by the National Institute of Standards and Technology (NIST).

The Colorado-based SysTest Labs is an independent lab that has been accredited for testing voting systems for federal certification. But according to the EAC, which assumed oversight responsibility for the testing and certification process only in 2006, SysTest failed to create and validate test methods, maintain proper documentation of its testing and employ properly trained or qualified personnel.

The lab was first suspended by NIST, which is charged with auditing labs on the EAC's behalf through its National Voluntary Laboratory Accreditation Program. SysTest has three days to respond to the EAC, though even if it is suspended it can get its accreditation restored if it later proves it can meet the NIST standards.

In addition to SysTest, there are four other labs accredited for testing voting systems. They are Wyle Laboratories and CIBER of Huntsville, Alabama; iBeta Quality Assurance in Denver, Colorado; and InfoGard Labs in San Luis Obispo, California.

Ciber previously ran afoul of requirements and was denied an interim accreditation that the EAC gave labs during the transition period when it assumed oversight responsibility of testing from the National Association of State Election Directors. The EAC found that Ciber had poor quality assurance and failed to maintain adequate documentation of testing.

Before 1990, the United States had no standards for testing and evaluating voting equipment. Anyone who wanted to make a voting system and sell it to election officials could do so. In 1990, the Federal Election Commission addressed this by establishing national standards for designing and testing voting equipment.

The standards, however, were little more than "shake 'n' bake" tests to measure how a system performed through extreme temperatures and jostling and whether it did what the company claimed it could do. The standards also exempted any COTS software and components used in a voting system from being reviewed and tested.

The standards were revised in 2002, 2005 and 2007. But it's the 1990 and 2002 standards by which voting machines used in elections today were certified. These standards were used to pass touch-screen voting machines made by Diebold Election Systems that were found, in 2003, to – among other things – have a hard-coded password (1111) in the source code that was used to access every one of the company's voting systems.

In 1992, NASED, an informal association of election administrators, assumed the voluntary task of accrediting labs and overseeing the testing process along with a Texas-based non-profit called the Election Center, which handled many of the administrative tasks for pushing the machines through testing and tracking their certifications.

Wyle Laboratories became the first lab to test voting equipment in 1994. It largely focused on hardware and firmware. Ciber and SysTest began testing systems later on. Ciber focused on software review and testing, while SysTest began testing software in 2001 then added hardware and firmware to its repertoire. Some states also conducted their own tests of systems before giving them state certification, but this generally did not include a source code review of the systems, just a functional test to see if the machines worked properly.

The federal standards and testing are voluntary guidelines, and states are not required to have their systems meet the standards or undergo federal testing, but most of them do require it anyway.

Election officials have always claimed that federal and state testing were rigorous and pointed to them as proof that voting systems could not have flaws. Since the testing and reports weren't transparent, there was little proof anyone could offer to counter them.

Under the previous system of testing and certification, the testing was secretive and was paid for by the voting machine companies who forced the labs to sign non-disclosure agreements. This meant that no one but the voting machine vendors had access to reports detailing problems the testers uncovered. Even computer security experts hired by states to evaluate systems before buying them could not obtain anything but the most rudimentary test reports.

All that will change under the EAC testing and certification program. Voting machine vendors will contribute money to a fund from which the labs will be paid, and test reports will be made public to the extent that federal law allows it. This is all still theoretical, however, since the program has taken a long time to get going. Two years into it, there is still no voting system certified under it.

[REMINDER TO VOTERS: If you have problems casting a ballot, please contact us at vote@wired.com or add a report about your issue to our election map so we can track and investigate problems that come up. If you're adding a report to the map, please provide as much detail as you can to make it possible for us to verify the information. If you can provide us with your name and contact information to follow up with you and get more details, that would be even better. If you don't feel comfortable putting your name on the map, contact us at vote@wired.com.]